Hi Team,
I have multiple sources in a sourcetype and want to see the difference in results between the last two sources. The latest source is "data_10162019.csv", and the one before it is "data_10102019.csv".
I am calculating the result for the latest source and the one before it in a sourcetype with the search below, and I have to show it as a trend, with the difference as an up/down arrow.
index="idx" sourcetype=xyz [| search index="idx" sourcetype=xyz | table source,_time,sourcetype,host | dedup source | sort -_time | head 2 | table source]
| table _time "Application Name", source, Status, Environment, sm
| eval status = (some eval condition)
| eval deploy = (some condition)
| search "Status" = Eligible AND "Environment" = Dev
| stats sum(status) as status_sm, sum(deploy) as build, sum(sm) as sm, count as count by source
| eval count = count - (status_sm + build)
| eval per = round(sm*100/count)
| table source per
The output looks like:
source per
data_10162019.csv 89
data_10102019.csv 60
I want to show this result as a trend: a single value showing the latest source output (i.e. 89) and an arrow showing their difference (i.e. 29).
Please help.
| stats count
| eval _raw="source,per
data_10162019.csv,89
data_10102019.csv,60"
| multikv forceheader=1
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time
Hi, this is a sample query.
index="idx" sourcetype=xyz [| search index="idx" sourcetype=xyz
| table source,_time,sourcetype,host
| dedup source | sort -_time | head 2 | table source]
| table _time "Application Name", source, Status, Environment, sm
| eval status = (some eval condition)
| eval deploy = (some condition)
| search "Status" = Eligible AND "Environment" = Dev
| stats sum(status) as status_sm, sum(deploy) as build, sum(sm) as sm, count as count by source
| eval count = count - (status_sm + build)
| eval per = round(sm*100/count)
| table source per
| rex field=source "data_(?<time>\d+)"
| eval _time=strptime(time,"%m%d%Y")
| fields _time per source
| sort _time
How about this?
Hi @to4kawa
There is another requirement: to show the trend in the last column of a table. I have a table showing user, result from the last source and result from the latest source. Now I want to take the difference of the results and display it in the last column as a trend. Please help.
Without a sample log, it's hard to understand.
Can you ask me another question?
@to4kawa ,
user latest_source_perc last_source_perc difference
xyz 76 70 6
abc 86 82 4
I wanted to show the output like this (where the last column will show the trend with an arrow or sparkline):
user latest_source_perc trend_with_arrow
xyz 76 76 (arrow: 6)
abc 86 82 (arrow: 4)
<dashboard>
  <label>test2</label>
  <search id="baseSearch">
    <query>
| stats count
| eval _raw="user,latest_source_perc,last_source_perc,difference
xyz,76,70,6
abc,86,82,4"
| multikv forceheader=1
| table user last_source_perc latest_source_perc
    </query>
  </search>
  <row>
    <panel>
      <title>Base Search Result</title>
      <table>
        <search base="baseSearch">
          <query>| transpose</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>xyz</title>
      <single>
        <search base="baseSearch">
          <query>| transpose
| fields "row 1"
| streamstats count as _time
| where _time!=1</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>abc</title>
      <single>
        <search base="baseSearch">
          <query>| transpose
| fields "row 2"
| streamstats count as _time
| where _time!=1</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</dashboard>
Hello,
It seems like you want to use a sparkline in a single value visualization. The second link gives the most important information about it, namely that you need to use the timechart command to get your desired visualization. (You've been using table instead.)
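As an added example (not code from this thread), here are two searches that put the two answers above together on the sample values from the question: the first turns the two source files into a time series with timechart, so a single value visualization shows 89 with a trend of +29 against the previous source, and the second builds the per-user table with the difference rendered as an arrow in the last column. The field names come from the thread; the makeresults-based sample data and the arrow characters are assumptions.

```spl
| makeresults
| eval _raw="source,per
data_10162019.csv,89
data_10102019.csv,60"
| multikv forceheader=1
| rex field=source "data_(?<d>\d{8})"
| eval _time=strptime(d,"%m%d%Y"), per=tonumber(per)
| timechart span=1d latest(per) as per
| where isnotnull(per)

| makeresults
| eval _raw="user,latest_source_perc,last_source_perc
xyz,76,70
abc,86,82"
| multikv forceheader=1
| eval difference = tonumber(latest_source_perc) - tonumber(last_source_perc)
| eval trend_with_arrow = case(difference > 0, "▲ ".tostring(difference),
                               difference < 0, "▼ ".tostring(abs(difference)),
                               true(), "0")
| table user latest_source_perc last_source_perc trend_with_arrow
```

Put the first search in a single value panel with the trend indicator enabled (the empty day buckets are dropped so the trend compares the two real sources); the second search feeds a plain table panel.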
@to4kawa Thank you. It perfectly worked for me.